“He did not simply take money for himself, but he reinvested it into developing his operation and making it more desirable to criminals,” DiMaggio says. Throughout the lifecycle of the LockBit group, two major updates and releases of its malware happened, with each more capable and easier to use than the last. Analysis from the law enforcement operation by security company Trend Micro shows it was working on a new version too.

DiMaggio says the person he was speaking to privately using the LockBitSupp moniker was “arrogant” but “all business and very serious”—aside from sending cat stickers as part of chats. Publicly, on Russian language cybercrime forums where hackers trade data and discuss hacking politics and news, LockBitSupp was entirely different, DiMaggio says.

“The persona he amplified on the Russian hacking forums was a mix of a supervillain and Tony Montana from Scarface,” DiMaggio says. “He flaunted his success and money, and it rubbed people the wrong way at times.”

In addition to setting a bounty on their own identity, LockBitSupp’s more innovative and erratic side also organized an essay-writing competition on the hacking forums, offered a “bug bounty” if people found flaws in LockBit’s code, and said they would pay $1,000 to anyone who got the LockBit logo as a tattoo. Around 20 people posted pictures and videos of their tattoos.

Soon after law enforcement claimed to have revealed LockBitSupp’s identity, DiMaggio published new research about Khoroshev. Using a tip he received, plus open source intelligence and leaked information on the dark web, DiMaggio found social media profiles and extra personal information believed to be linked to the Russian national.

“He owns several legitimate businesses, also based out of Voronezh, drives a Mercedes, and previously owned a Mazda 6, not a lambo as he often boasts,” DiMaggio writes in the research. One of the email addresses included in the sanctions has links to a Russia-based e-commerce business registered in the name of Khoroshev, he writes. Several other emails and phone numbers were connected to these details, DiMaggio’s research says.

LockBitSupp was banned from two prominent Russian-language cybercrime forums in January after a complaint was made about their behavior. “They’ve made partners, supporters, haters, and fans over the years,” says Victoria Kivilevich, director of threat research at security firm KELA.

Analysis of cybercrime forums by Kivilevich shows the Russian-language ecosystems had mixed responses, including surprise when LockBit was first compromised by law enforcement. “Users gloating that LockBit finally failed and got what he deserved, making references to his statements where he bragged how [about how] LockBit ‘RaaS’ is secure and better than any other operations,” Kivilevich says.

Other forum users questioned the technical decisions of LockBitSupp and whether they had collaborated with law enforcement, the researcher says. There were forum users who reacted neutrally, “mostly saying the operation won’t affect LockBit much and the operation will continue to exist,” Kivilevich says.

Downfall

After Operation Cronos took LockBit offline in February, it took LockBitSupp only five days to create replica versions of the group’s leak site. The website then started to be filled with apparent victims; it seemed like the LockBit group hadn’t been impacted by having all of its internal secrets accessed by police around the world.

These recently posted victims aren’t what they seem, though, multiple experts say. “The actual law enforcement intervention has been significant,” says Matt Hull, the global head of threat intelligence at cybersecurity firm NCC Group. The NCA says the number of LockBit affiliates has dropped to 69 since its February takedown, while the DOJ indictment says LockBit’s victim count has “greatly diminished” since then.